capabilities: remove the task from capable LSM hook entirely (6a9de491) · Commits · 戴 / test

include/linux/security.h

+7 −9

Original line number	Diff line number	Diff line
		@@ -53,8 +53,8 @@ struct user_namespace;
		* These functions are in security/capability.c and are used
		* as the default capabilities functions
		*/
		extern int cap_capable(struct task_struct tsk, const struct cred cred,
		struct user_namespace *ns, int cap, int audit);
		extern int cap_capable(const struct cred cred, struct user_namespace ns,
		int cap, int audit);
		extern int cap_settime(const struct timespec ts, const struct timezone tz);
		extern int cap_ptrace_access_check(struct task_struct *child, unsigned int mode);
		extern int cap_ptrace_traceme(struct task_struct *parent);
		@@ -1261,7 +1261,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
		* @capable:
		* Check whether the @tsk process has the @cap capability in the indicated
		* credentials.
		* @tsk contains the task_struct for the process.
		* @cred contains the credentials to use.
		* @ns contains the user namespace we want the capability in
		* @cap contains the capability <include/linux/capability.h>.
		@@ -1385,8 +1384,8 @@ struct security_operations {
		const kernel_cap_t *effective,
		const kernel_cap_t *inheritable,
		const kernel_cap_t *permitted);
		int (capable) (struct task_struct tsk, const struct cred *cred,
		struct user_namespace *ns, int cap, int audit);
		int (capable) (const struct cred cred, struct user_namespace *ns,
		int cap, int audit);
		int (quotactl) (int cmds, int type, int id, struct super_block sb);
		int (quota_on) (struct dentry dentry);
		int (*syslog) (int type);
		@@ -1867,7 +1866,7 @@ static inline int security_capset(struct cred *new,
		static inline int security_capable(struct user_namespace *ns,
		const struct cred *cred, int cap)
		{
		return cap_capable(current, cred, ns, cap, SECURITY_CAP_AUDIT);
		return cap_capable(cred, ns, cap, SECURITY_CAP_AUDIT);
		}

		static inline int security_real_capable(struct task_struct tsk, struct user_namespace ns, int cap)
		@@ -1875,7 +1874,7 @@ static inline int security_real_capable(struct task_struct *tsk, struct user_nam
		int ret;

		rcu_read_lock();
		ret = cap_capable(tsk, __task_cred(tsk), ns, cap, SECURITY_CAP_AUDIT);
		ret = cap_capable(__task_cred(tsk), ns, cap, SECURITY_CAP_AUDIT);
		rcu_read_unlock();
		return ret;
		}
		@@ -1886,8 +1885,7 @@ int security_real_capable_noaudit(struct task_struct *tsk, struct user_namespace
		int ret;

		rcu_read_lock();
		ret = cap_capable(tsk, __task_cred(tsk), ns, cap,
		SECURITY_CAP_NOAUDIT);
		ret = cap_capable(__task_cred(tsk), ns, cap, SECURITY_CAP_NOAUDIT);
		rcu_read_unlock();
		return ret;
		}

security/apparmor/lsm.c

+4 −4

Original line number	Diff line number	Diff line
		@@ -136,16 +136,16 @@ static int apparmor_capget(struct task_struct target, kernel_cap_t effective,
		return 0;
		}

		static int apparmor_capable(struct task_struct task, const struct cred cred,
		struct user_namespace *ns, int cap, int audit)
		static int apparmor_capable(const struct cred cred, struct user_namespace ns,
		int cap, int audit)
		{
		struct aa_profile *profile;
		/* cap_capable returns 0 on success, else -EPERM */
		int error = cap_capable(task, cred, ns, cap, audit);
		int error = cap_capable(cred, ns, cap, audit);
		if (!error) {
		profile = aa_cred_profile(cred);
		if (!unconfined(profile))
		error = aa_capable(task, profile, cap, audit);
		error = aa_capable(current, profile, cap, audit);
		}
		return error;
		}

security/commoncap.c

+7 −9

Original line number	Diff line number	Diff line
		@@ -66,7 +66,6 @@ EXPORT_SYMBOL(cap_netlink_recv);

		/**
		* cap_capable - Determine whether a task has a particular effective capability
		* @tsk: The task to query
		* @cred: The credentials to use
		* @ns: The user namespace in which we need the capability
		* @cap: The capability to check for
		@@ -80,8 +79,8 @@ EXPORT_SYMBOL(cap_netlink_recv);
		* cap_has_capability() returns 0 when a task has a capability, but the
		* kernel's capable() and has_capability() returns 1 for this case.
		*/
		int cap_capable(struct task_struct tsk, const struct cred cred,
		struct user_namespace *targ_ns, int cap, int audit)
		int cap_capable(const struct cred cred, struct user_namespace targ_ns,
		int cap, int audit)
		{
		for (;;) {
		/* The creator of the user namespace has all caps. */
		@@ -222,9 +221,8 @@ static inline int cap_inh_is_capped(void)
		/* they are so limited unless the current task has the CAP_SETPCAP
		* capability
		*/
		if (cap_capable(current, current_cred(),
		current_cred()->user->user_ns, CAP_SETPCAP,
		SECURITY_CAP_AUDIT) == 0)
		if (cap_capable(current_cred(), current_cred()->user->user_ns,
		CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
		return 0;
		return 1;
		}
		@@ -870,7 +868,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
		& (new->securebits ^ arg2)) /[1]/
		\|\| ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /[2]/
		\|\| (arg2 & ~(SECURE_ALL_LOCKS \| SECURE_ALL_BITS)) /[3]/
		\|\| (cap_capable(current, current_cred(),
		\|\| (cap_capable(current_cred(),
		current_cred()->user->user_ns, CAP_SETPCAP,
		SECURITY_CAP_AUDIT) != 0) /[4]/
		/*
		@@ -936,7 +934,7 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages)
		{
		int cap_sys_admin = 0;

		if (cap_capable(current, current_cred(), &init_user_ns, CAP_SYS_ADMIN,
		if (cap_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
		SECURITY_CAP_NOAUDIT) == 0)
		cap_sys_admin = 1;
		return __vm_enough_memory(mm, pages, cap_sys_admin);
		@@ -963,7 +961,7 @@ int cap_file_mmap(struct file *file, unsigned long reqprot,
		int ret = 0;

		if (addr < dac_mmap_min_addr) {
		ret = cap_capable(current, current_cred(), &init_user_ns, CAP_SYS_RAWIO,
		ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO,
		SECURITY_CAP_AUDIT);
		/* set PF_SUPERPRIV if it turns out we allow the low mmap */
		if (ret == 0)

security/security.c

+3 −4

Original line number	Diff line number	Diff line
		@@ -157,8 +157,7 @@ int security_capset(struct cred new, const struct cred old,
		int security_capable(struct user_namespace ns, const struct cred cred,
		int cap)
		{
		return security_ops->capable(current, cred, ns, cap,
		SECURITY_CAP_AUDIT);
		return security_ops->capable(cred, ns, cap, SECURITY_CAP_AUDIT);
		}

		int security_real_capable(struct task_struct tsk, struct user_namespace ns,
		@@ -168,7 +167,7 @@ int security_real_capable(struct task_struct tsk, struct user_namespace ns,
		int ret;

		cred = get_task_cred(tsk);
		ret = security_ops->capable(tsk, cred, ns, cap, SECURITY_CAP_AUDIT);
		ret = security_ops->capable(cred, ns, cap, SECURITY_CAP_AUDIT);
		put_cred(cred);
		return ret;
		}
		@@ -180,7 +179,7 @@ int security_real_capable_noaudit(struct task_struct *tsk,
		int ret;

		cred = get_task_cred(tsk);
		ret = security_ops->capable(tsk, cred, ns, cap, SECURITY_CAP_NOAUDIT);
		ret = security_ops->capable(cred, ns, cap, SECURITY_CAP_NOAUDIT);
		put_cred(cred);
		return ret;
		}

security/selinux/hooks.c

+10 −13

Original line number	Diff line number	Diff line
		@@ -1414,8 +1414,7 @@ static int current_has_perm(const struct task_struct *tsk,
		#endif

		/* Check whether a task is allowed to use a capability. */
		static int task_has_capability(struct task_struct *tsk,
		const struct cred *cred,
		static int cred_has_capability(const struct cred *cred,
		int cap, int audit)
		{
		struct common_audit_data ad;
		@@ -1426,7 +1425,7 @@ static int task_has_capability(struct task_struct *tsk,
		int rc;

		COMMON_AUDIT_DATA_INIT(&ad, CAP);
		ad.tsk = tsk;
		ad.tsk = current;
		ad.u.cap = cap;

		switch (CAP_TO_INDEX(cap)) {
		@@ -1867,16 +1866,16 @@ static int selinux_capset(struct cred new, const struct cred old,
		* the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
		*/

		static int selinux_capable(struct task_struct tsk, const struct cred cred,
		struct user_namespace *ns, int cap, int audit)
		static int selinux_capable(const struct cred cred, struct user_namespace ns,
		int cap, int audit)
		{
		int rc;

		rc = cap_capable(tsk, cred, ns, cap, audit);
		rc = cap_capable(cred, ns, cap, audit);
		if (rc)
		return rc;

		return task_has_capability(tsk, cred, cap, audit);
		return cred_has_capability(cred, cap, audit);
		}

		static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
		@@ -1953,8 +1952,7 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
		{
		int rc, cap_sys_admin = 0;

		rc = selinux_capable(current, current_cred(),
		&init_user_ns, CAP_SYS_ADMIN,
		rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
		SECURITY_CAP_NOAUDIT);
		if (rc == 0)
		cap_sys_admin = 1;
		@@ -2858,8 +2856,7 @@ static int selinux_inode_getsecurity(const struct inode inode, const char name
		* and lack of permission just means that we fall back to the
		* in-core context value, not a denial.
		*/
		error = selinux_capable(current, current_cred(),
		&init_user_ns, CAP_MAC_ADMIN,
		error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
		SECURITY_CAP_NOAUDIT);
		if (!error)
		error = security_sid_to_context_force(isec->sid, &context,
		@@ -2992,7 +2989,7 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,

		case KDSKBENT:
		case KDSKBSENT:
		error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
		SECURITY_CAP_AUDIT);
		break;

Admin message